
DropVPS Team

Writer: Cooper Reagan

How can DDoS attacks be mitigated?

Publication Date: 07/18/2025


DDoS (Distributed Denial-of-Service) attacks flood your server or network with massive traffic, overwhelming resources and taking services offline. But there are practical steps you can take to detect, absorb, and block these attacks — even on a budget.

Use Rate Limiting at Server Level

One of the first lines of defense is rate limiting — blocking or slowing repeated requests from the same IP address.

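For example, this iptables rule drops new connections to port 80 from any source IP that already has more than 20 connections open: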

sudo iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j DROP

Or with Nginx:

http {
  limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

  server {
    location / {
      limit_req zone=one burst=20;
    }
  }
}

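This limits each client IP address to 10 requests per second. Up to 20 requests above that rate are queued and served with a delay, and anything beyond the burst is rejected.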
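To see which clients the limit above would affect before enabling it, the following added example (not part of the original article, and not nginx's own code) replays access-log lines through a simplified leaky-bucket model with the same rate=10r/s and burst=20. It assumes nginx's default "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

RATE, BURST = 10, 20  # rate=10r/s and burst=20 from the Nginx example above
# Client address and timestamp of nginx's default "combined" log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse(line):
    """Return (ip, epoch_seconds) for one access-log line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group(1), ts.timestamp()

def rejected_per_ip(lines, rate=RATE, burst=BURST):
    """Leaky-bucket replay: count requests per IP that exceed rate plus burst."""
    state = {}                       # ip -> (excess, time of last accepted request)
    rejected = defaultdict(int)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                 # skip lines that are not in the expected format
        ip, now = parsed
        if ip not in state:
            state[ip] = (0.0, now)   # first request from a new client starts at zero
            continue
        excess, last = state[ip]
        # The bucket drains at `rate` per second; each request adds one.
        new_excess = max(0.0, excess - rate * max(0.0, now - last) + 1)
        if new_excess > burst:
            rejected[ip] += 1        # over the burst allowance; state is not updated
        else:
            state[ip] = (new_excess, now)
    return dict(rejected)

# Constructed sample: one client sends 30 requests within the same second,
# another sends 3 requests spread over 3 seconds.
FMT = '%s - - [18/Jul/2025:10:00:0%d +0000] "GET / HTTP/1.1" 200 512 "-" "-"'
SAMPLE = [FMT % ("203.0.113.7", 0)] * 30 + [FMT % ("198.51.100.4", s) for s in range(3)]

if __name__ == "__main__":
    print(rejected_per_ip(SAMPLE))
```

Access-log timestamps have one-second resolution, so requests logged in the same second are treated as simultaneous and the counts are an estimate.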

Deploy a Reverse Proxy or CDN

Cloud-based solutions like Cloudflare, Fastly, or BunnyCDN absorb huge amounts of DDoS traffic before it hits your origin server. They offer:

  • Global edge caching

  • Rate limiting

  • Web application firewall (WAF)

  • Challenge-based verifications (like CAPTCHA)

Cloudflare’s “I’m under attack mode” is especially effective for Layer 7 HTTP floods.

Use Connection Tracking and SYN Flood Protection

Use kernel-level settings to reduce the impact of SYN floods and fake TCP connections:

sudo sysctl -w net.ipv4.tcp_syncookies=1
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sudo sysctl -w net.ipv4.conf.all.rp_filter=1

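These settings enable SYN cookie protection, increase the SYN backlog queue, and turn on reverse-path filtering, which drops packets whose source address is not reachable through the interface they arrived on.

Values set with sysctl -w are lost at reboot. You can make them permanent by editing /etc/sysctl.conf.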

GeoIP Filtering and Blacklists

Block traffic from regions that are not relevant to your service using iptables with GeoIP modules or with Nginx + MaxMind GeoIP2:

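# Requires the third-party ngx_http_geoip2_module.
# The geoip2 and map blocks belong in the http context.
geoip2 /etc/nginx/GeoLite2-Country.mmdb {
  auto_reload 5m;
  # Look up the ISO country code for the client address.
  $geoip2_data_country_code default=US source=$remote_addr country iso_code;
}

# Flag the countries to block.
map $geoip2_data_country_code $block_country {
  default no;
  CN yes;
  RU yes;
  BR yes;
}

server {
  # Reject requests from flagged countries.
  if ($block_country = yes) {
    return 403;
  }
}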

Automated Banning Tools

Use tools like Fail2Ban or CrowdSec to automatically detect and ban suspicious IPs based on patterns:

sudo apt install fail2ban -y

Then configure a simple jail for nginx or ssh brute force protection in /etc/fail2ban/jail.local.

Scaling and Anycast Routing

If you’re running a high-traffic platform, you can mitigate large-scale attacks by:

  • Distributing services across multiple servers (horizontal scaling)

  • Using Anycast IPs for global load balancing

  • Running services behind a load balancer like HAProxy or NGINX+

These techniques absorb DDoS load geographically and improve fault tolerance.
